GitLab

at 2025-02-27T16:08:04+01:00

Bug 1910593 - Don't prefetch HTTPS RR if proxyDNS is enabled, r=necko-reviewers,valentin

Differential Revision: https://phabricator.services.mozilla.com/D219528

   boolean trr = false;

   DOMString originAttributesSuffix = "";

   DOMString flags = "";

+  unsigned short type = 0;

 };

 [GenerateConversionToJS]

       CopyASCIItoUTF16(dnsData->mData[i].hostaddr[j], *addr);

     }

-    if (dnsData->mData[i].family == PR_AF_INET6) {

-      entry.mFamily.AssignLiteral(u"ipv6");

-    } else {

-      entry.mFamily.AssignLiteral(u"ipv4");

+    entry.mType = dnsData->mData[i].resolveType;

+    if (entry.mType == nsIDNSService::RESOLVE_TYPE_DEFAULT) {

+      if (dnsData->mData[i].family == PR_AF_INET6) {

+        entry.mFamily.AssignLiteral(u"ipv6");

+      } else {

+        entry.mFamily.AssignLiteral(u"ipv4");

+      }

     }

     entry.mOriginAttributesSuffix =

 struct DNSCacheEntries {

   nsCString hostname;

   nsTArray<nsCString> hostaddr;

-  uint16_t family;

-  int64_t expiration;

-  nsCString netInterface;

-  bool TRR;

+  uint16_t family{0};

+  int64_t expiration{0};

+  bool TRR{false};

   nsCString originAttributesSuffix;

   nsCString flags;

+  uint16_t resolveType{0};

 };

 struct HttpConnInfo {

     WriteParam(aWriter, aParam.hostaddr);

     WriteParam(aWriter, aParam.family);

     WriteParam(aWriter, aParam.expiration);

-    WriteParam(aWriter, aParam.netInterface);

     WriteParam(aWriter, aParam.TRR);

+    WriteParam(aWriter, aParam.originAttributesSuffix);

+    WriteParam(aWriter, aParam.flags);

+    WriteParam(aWriter, aParam.resolveType);

   }

   static bool Read(MessageReader* aReader, paramType* aResult) {

            ReadParam(aReader, &aResult->hostaddr) &&

            ReadParam(aReader, &aResult->family) &&

            ReadParam(aReader, &aResult->expiration) &&

-           ReadParam(aReader, &aResult->netInterface) &&

-           ReadParam(aReader, &aResult->TRR);

+           ReadParam(aReader, &aResult->TRR) &&

+           ReadParam(aReader, &aResult->originAttributesSuffix) &&

+           ReadParam(aReader, &aResult->flags) &&

+           ReadParam(aReader, &aResult->resolveType);

   }

 };

       continue;

     }

-    // For now we only show A/AAAA records.

-    if (!rec->IsAddrRecord()) {

-      continue;

-    }

-

-    RefPtr<AddrHostRecord> addrRec = do_QueryObject(rec);

-    MOZ_ASSERT(addrRec);

-    if (!addrRec || !addrRec->addr_info) {

-      continue;

-    }

-

     DNSCacheEntries info;

+    info.resolveType = rec->type;

     info.hostname = rec->host;

     info.family = rec->af;

+    if (rec->mValidEnd.IsNull()) {

+      continue;

+    }

     info.expiration =

         (int64_t)(rec->mValidEnd - TimeStamp::NowLoRes()).ToSeconds();

     if (info.expiration <= 0) {

       continue;

     }

-    {

+    info.originAttributesSuffix = recordEntry.GetKey().originSuffix;

+    info.flags = nsPrintfCString("%u|0x%x|%u|%d|%s", rec->type,

+                                 static_cast<uint32_t>(rec->flags), rec->af,

+                                 rec->pb, rec->mTrrServer.get());

+

+    RefPtr<AddrHostRecord> addrRec = do_QueryObject(rec);

+    if (addrRec && addrRec->addr_info) {

       MutexAutoLock lock(addrRec->addr_info_lock);

       for (const auto& addr : addrRec->addr_info->Addresses()) {

         char buf[kIPv6CStrBufSize];

       info.TRR = addrRec->addr_info->IsTRR();

     }

-    info.originAttributesSuffix = recordEntry.GetKey().originSuffix;

-    info.flags = nsPrintfCString("%u|0x%x|%u|%d|%s", rec->type,

-                                 static_cast<uint32_t>(rec->flags), rec->af,

-                                 rec->pb, rec->mTrrServer.get());

-

     args->AppendElement(std::move(info));

   }

 }

 namespace mozilla {

 namespace net {

+extern const char kProxyType_SOCKS[];

+

 const uint32_t kHttp3VersionCount = 5;

 const nsCString kHttp3Versions[] = {"h3-29"_ns, "h3-30"_ns, "h3-31"_ns,

                                     "h3-32"_ns, "h3"_ns};

   aCaps = (aCaps | NS_HTTP_DISALLOW_HTTPS_RR) & ~NS_HTTP_FORCE_WAIT_HTTP_RR;

 }

+ProxyDNSStrategy GetProxyDNSStrategyHelper(const char* aType, uint32_t aFlag) {

+  if (!aType) {

+    return ProxyDNSStrategy::ORIGIN;

+  }

+

+  if (!(aFlag & nsIProxyInfo::TRANSPARENT_PROXY_RESOLVES_HOST)) {

+    if (aType == kProxyType_SOCKS) {

+      return ProxyDNSStrategy::ORIGIN;

+    }

+  }

+

+  return ProxyDNSStrategy::PROXY;

+}

+

 }  // namespace net

 }  // namespace mozilla

 void DisallowHTTPSRR(uint32_t& aCaps);

+enum class ProxyDNSStrategy : uint8_t {

+  // To resolve the origin of the end server we are connecting

+  // to.

+  ORIGIN = 1 << 0,

+  // To resolve the host name of the proxy.

+  PROXY = 1 << 1

+};

+

+ProxyDNSStrategy GetProxyDNSStrategyHelper(const char* aType, uint32_t aFlag);

+

 }  // namespace net

 }  // namespace mozilla

   }

   auto shouldSkipUpgradeWithHTTPSRR = [&]() -> bool {

+    if (mCaps & NS_HTTP_DISALLOW_HTTPS_RR) {

+      return true;

+    }

+

     // Skip using HTTPS RR to upgrade when this is not a top-level load and the

     // loading principal is http.

     if ((mLoadInfo->GetExternalContentPolicyType() !=

       return true;

     }

+    auto dnsStrategy = GetProxyDNSStrategy();

+    if (dnsStrategy != ProxyDNSStrategy::ORIGIN) {

+      return true;

+    }

+

     nsAutoCString uriHost;

     mURI->GetAsciiHost(uriHost);

     return ContinueOnBeforeConnect(hasHTTPSRR, aStatus, hasHTTPSRR);

   }

-  auto dnsStrategy = GetProxyDNSStrategy();

-  if (!(dnsStrategy & DNS_PREFETCH_ORIGIN)) {

-    return ContinueOnBeforeConnect(aShouldUpgrade, aStatus);

-  }

-

   LOG(("nsHttpChannel::MaybeUseHTTPSRRForUpgrade [%p] wait for HTTPS RR",

        this));

   NS_NewNotificationCallbacksAggregation(mCallbacks, mLoadGroup,

                                          getter_AddRefs(callbacks));

   if (!callbacks) return;

-

-  Unused << gHttpHandler->SpeculativeConnect(

+  bool httpsRRAllowed = !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR);

+  Unused << gHttpHandler->MaybeSpeculativeConnectWithHTTPSRR(

       mConnectionInfo, callbacks,

       mCaps & (NS_HTTP_DISALLOW_SPDY | NS_HTTP_TRR_MODE_MASK |

                NS_HTTP_DISABLE_IPV4 | NS_HTTP_DISABLE_IPV6 |

                NS_HTTP_DISALLOW_HTTP3 | NS_HTTP_REFRESH_DNS),

-      gHttpHandler->EchConfigEnabled());

+      gHttpHandler->EchConfigEnabled() && httpsRRAllowed);

 }

 void nsHttpChannel::DoNotifyListenerCleanup() {

   return classifier.forget();

 }

-uint16_t nsHttpChannel::GetProxyDNSStrategy() {

-  // This function currently only supports returning DNS_PREFETCH_ORIGIN.

-  // Support for the rest of the DNS_* flags will be added later.

-

-  if (!mProxyInfo) {

-    return DNS_PREFETCH_ORIGIN;

+ProxyDNSStrategy nsHttpChannel::GetProxyDNSStrategy() {

+  // When network_dns_force_use_https_rr is true, return DNS_PREFETCH_ORIGIN.

+  // This ensures that we always perform HTTPS RR query.

+  nsCOMPtr<nsProxyInfo> proxyInfo(static_cast<nsProxyInfo*>(mProxyInfo.get()));

+  if (!proxyInfo || StaticPrefs::network_dns_force_use_https_rr()) {

+    return ProxyDNSStrategy::ORIGIN;

   }

-  uint32_t flags = 0;

-  nsAutoCString type;

-  mProxyInfo->GetFlags(&flags);

-  mProxyInfo->GetType(type);

-

   // If the proxy is not to perform name resolution itself.

-  if (!(flags & nsIProxyInfo::TRANSPARENT_PROXY_RESOLVES_HOST)) {

-    if (type.EqualsLiteral("socks")) {

-      return DNS_PREFETCH_ORIGIN;

-    }

-  }

-

-  return 0;

+  return GetProxyDNSStrategyHelper(proxyInfo->Type(), proxyInfo->Flags());

 }

 // BeginConnect() SHOULD NOT call AsyncAbort(). AsyncAbort will be called by

   }

   bool trrEnabled = false;

+  auto dnsStrategy = GetProxyDNSStrategy();

   bool httpsRRAllowed =

       !LoadBeConservative() && !(mCaps & NS_HTTP_BE_CONSERVATIVE) &&

       !(mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&

         mLoadInfo->GetExternalContentPolicyType() !=

             ExtContentPolicy::TYPE_DOCUMENT) &&

+      dnsStrategy == ProxyDNSStrategy::ORIGIN &&

       !mConnectionInfo->UsingConnect() && canUseHTTPSRRonNetwork(trrEnabled) &&

       StaticPrefs::network_dns_use_https_rr_as_altsvc();

   if (!httpsRRAllowed) {

     ReEvaluateReferrerAfterTrackingStatusIsKnown();

   }

-  rv = MaybeStartDNSPrefetch();

-  if (NS_FAILED(rv)) {

-    auto dnsStrategy = GetProxyDNSStrategy();

-    if (dnsStrategy & DNS_BLOCK_ON_ORIGIN_RESOLVE) {

-      // TODO: Should this be fatal?

-      return rv;

-    }

-    // Otherwise this shouldn't be fatal.

-    return NS_OK;

-  }

+  MaybeStartDNSPrefetch();

   rv = CallOrWaitForResume(

       [](nsHttpChannel* self) { return self->PrepareToConnect(); });

   return NS_OK;

 }

-nsresult nsHttpChannel::MaybeStartDNSPrefetch() {

+void nsHttpChannel::MaybeStartDNSPrefetch() {

   // Start a DNS lookup very early in case the real open is queued the DNS can

   // happen in parallel. Do not do so in the presence of an HTTP proxy as

   // all lookups other than for the proxy itself are done by the proxy.

   // timing we used.

   if ((mLoadFlags & (LOAD_NO_NETWORK_IO | LOAD_ONLY_FROM_CACHE)) ||

       LoadAuthRedirectedChannel()) {

-    return NS_OK;

+    return;

   }

   auto dnsStrategy = GetProxyDNSStrategy();

   LOG(

       ("nsHttpChannel::MaybeStartDNSPrefetch [this=%p, strategy=%u] "

        "prefetching%s\n",

-       this, dnsStrategy,

+       this, static_cast<uint32_t>(dnsStrategy),

        mCaps & NS_HTTP_REFRESH_DNS ? ", refresh requested" : ""));

-  if (dnsStrategy & DNS_PREFETCH_ORIGIN) {

+  if (dnsStrategy == ProxyDNSStrategy::ORIGIN) {

     OriginAttributes originAttributes;

     StoragePrincipalHelper::GetOriginAttributesForNetworkState(

         this, originAttributes);

     if (mCaps & NS_HTTP_REFRESH_DNS) {

       dnsFlags |= nsIDNSService::RESOLVE_BYPASS_CACHE;

     }

-    nsresult rv = mDNSPrefetch->PrefetchHigh(dnsFlags);

-    if (dnsStrategy & DNS_BLOCK_ON_ORIGIN_RESOLVE) {

-      LOG(("  blocking on prefetching origin"));

-

-      if (NS_WARN_IF(NS_FAILED(rv))) {

-        LOG(("  lookup failed with 0x%08" PRIx32 ", aborting request",

-             static_cast<uint32_t>(rv)));

-        return rv;

-      }

-

-      // Resolved in OnLookupComplete.

-      mDNSBlockingThenable = mDNSBlockingPromise.Ensure(__func__);

-    }

+    Unused << mDNSPrefetch->PrefetchHigh(dnsFlags);

     bool unused;

     if (StaticPrefs::network_dns_use_https_rr_as_altsvc() && !mHTTPSSVCRecord &&

                                         });

     }

   }

-

-  return NS_OK;

 }

 NS_IMETHODIMP

   // Connections will only be established in this function.

   // (including DNS prefetch and speculative connection.)

   void MaybeResolveProxyAndBeginConnect();

-  nsresult MaybeStartDNSPrefetch();

-

-  // Tells the channel to resolve the origin of the end server we are connecting

-  // to.

-  static uint16_t const DNS_PREFETCH_ORIGIN = 1 << 0;

-  // Tells the channel to resolve the host name of the proxy.

-  static uint16_t const DNS_PREFETCH_PROXY = 1 << 1;

-  // Will be set if the current channel uses an HTTP/HTTPS proxy.

-  static uint16_t const DNS_PROXY_IS_HTTP = 1 << 2;

-  // Tells the channel to wait for the result of the origin server resolution

-  // before any connection attempts are made.

-  static uint16_t const DNS_BLOCK_ON_ORIGIN_RESOLVE = 1 << 3;

+  void MaybeStartDNSPrefetch();

   // Based on the proxy configuration determine the strategy for resolving the

   // end server host name.

-  // Returns a combination of the above flags.

-  uint16_t GetProxyDNSStrategy();

+  ProxyDNSStrategy GetProxyDNSStrategy();

   // We might synchronously or asynchronously call BeginConnect,

   // which includes DNS prefetch and speculative connection, according to

   const char* ProxyPassword() const {

     return mProxyInfo ? mProxyInfo->Password().get() : nullptr;

   }

+  uint32_t ProxyFlag() const {

+    uint32_t flags = 0;

+    if (mProxyInfo) {

+      mProxyInfo->GetFlags(&flags);

+    }

+    return flags;

+  }

   const nsCString& ProxyAuthorizationHeader() const {

     return mProxyInfo ? mProxyInfo->ProxyAuthorizationHeader() : EmptyCString();

     return;

   }

-  if (aFetchHTTPSRR && NS_SUCCEEDED(aTrans->FetchHTTPSRR())) {

-    // nsHttpConnectionMgr::DoSpeculativeConnection will be called again when

-    // HTTPS RR is available.

+  ProxyDNSStrategy strategy = GetProxyDNSStrategyHelper(

+      aEnt->mConnInfo->ProxyType(), aEnt->mConnInfo->ProxyFlag());

+  // Speculative connections can be triggered by non-Necko consumers,

+  // so add an extra check to ensure HTTPS RR isn't fetched when a proxy is

+  // used.

+  if (aFetchHTTPSRR && strategy == ProxyDNSStrategy::ORIGIN &&

+      NS_SUCCEEDED(aTrans->FetchHTTPSRR())) {

+    // nsHttpConnectionMgr::DoSpeculativeConnection will be called again

+    // when HTTPS RR is available.

     return;

   }

     }

   }

-  return SpeculativeConnect(ci, aCallbacks);

+  // When ech is enabled, always do speculative connect with HTTPS RR.

+  return MaybeSpeculativeConnectWithHTTPSRR(ci, aCallbacks, 0,

+                                            EchConfigEnabled());

 }

 NS_IMETHODIMP

     return mConnMgr->GetSocketThreadTarget(target);

   }

-  [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci,

-                                            nsIInterfaceRequestor* callbacks,

-                                            uint32_t caps = 0,

-                                            bool aFetchHTTPSRR = false) {

+  [[nodiscard]] nsresult MaybeSpeculativeConnectWithHTTPSRR(

+      nsHttpConnectionInfo* ci, nsIInterfaceRequestor* callbacks, uint32_t caps,

+      bool aFetchHTTPSRR) {

     TickleWifi(callbacks);

     RefPtr<nsHttpConnectionInfo> clone = ci->Clone();

     return mConnMgr->SpeculativeConnect(clone, callbacks, caps, nullptr,

-                                        aFetchHTTPSRR | EchConfigEnabled());

+                                        aFetchHTTPSRR);

   }

   [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci,

+/* This Source Code Form is subject to the terms of the Mozilla Public

+ * License, v. 2.0. If a copy of the MPL was not distributed with this

+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

+

+// Test when socks proxy is registered, we don't try to resolve HTTPS record.

+// Steps:

+// 1. Use addHTTPSRecordOverride to add an override for service.com.

+// 2. Add a proxy filter to use socks proxy.

+// 3. Create a request to load service.com.

+// 4. See if the HTTPS record is in DNS cache entries.

+

+"use strict";

+

+const gDashboard = Cc["@mozilla.org/network/dashboard;1"].getService(

+  Ci.nsIDashboard

+);

+const pps = Cc["@mozilla.org/network/protocol-proxy-service;1"].getService();

+

+add_task(async function setup() {

+  Services.prefs.setBoolPref("network.dns.native_https_query", true);

+  Services.prefs.setBoolPref("network.dns.native_https_query_win10", true);

+  const override = Cc["@mozilla.org/network/native-dns-override;1"].getService(

+    Ci.nsINativeDNSResolverOverride

+  );

+

+  let rawBuffer = [

+    0, 0, 128, 0, 0, 0, 0, 1, 0, 0, 0, 0, 7, 115, 101, 114, 118, 105, 99, 101,

+    3, 99, 111, 109, 0, 0, 65, 0, 1, 0, 0, 0, 55, 0, 13, 0, 1, 0, 0, 1, 0, 6, 2,

+    104, 50, 2, 104, 51,

+  ];

+  override.addHTTPSRecordOverride("service.com", rawBuffer, rawBuffer.length);

+  override.addIPOverride("service.com", "127.0.0.1");

+  registerCleanupFunction(() => {

+    Services.prefs.clearUserPref("network.dns.native_https_query");

+    Services.prefs.clearUserPref("network.dns.native_https_query_win10");

+    Services.prefs.clearUserPref("network.dns.localDomains");

+    override.clearOverrides();

+  });

+});

+

+function makeChan(uri) {

+  let chan = NetUtil.newChannel({

+    uri,

+    loadUsingSystemPrincipal: true,

+    contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,

+  }).QueryInterface(Ci.nsIHttpChannel);

+  chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;

+  return chan;

+}

+

+function channelOpenPromise(chan, flags) {

+  return new Promise(resolve => {

+    function finish(req, buffer) {

+      resolve([req, buffer]);

+    }

+    chan.asyncOpen(new ChannelListener(finish, null, flags));

+  });

+}

+

+async function isRecordFound(hostname) {

+  return new Promise(resolve => {

+    gDashboard.requestDNSInfo(function (data) {

+      let found = false;

+      for (let i = 0; i < data.entries.length; i++) {

+        if (

+          data.entries[i].hostname == hostname &&

+          data.entries[i].type == Ci.nsIDNSService.RESOLVE_TYPE_HTTPSSVC

+        ) {

+          found = true;

+          break;

+        }

+      }

+      resolve(found);

+    });

+  });

+}

+

+async function do_test_with_proxy_filter(filter) {

+  pps.registerFilter(filter, 10);

+

+  let chan = makeChan(`https://service.com/`);

+  await channelOpenPromise(chan, CL_EXPECT_LATE_FAILURE | CL_ALLOW_UNKNOWN_CL);

+

+  let found = await isRecordFound("service.com");

+  pps.unregisterFilter(filter);

+

+  return found;

+}

+

+add_task(async function test_proxyDNS_do_leak() {

+  let filter = new NodeProxyFilter("socks", "localhost", 443, 0);

+

+  let res = await do_test_with_proxy_filter(filter);

+

+  Assert.ok(res, "Should find a DNS entry");

+});

+

+add_task(async function test_proxyDNS_dont_leak() {

+  Services.dns.clearCache(false);

+

+  let filter = new NodeProxyFilter(

+    "socks",

+    "localhost",

+    443,

+    Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST

+  );

+

+  let res = await do_test_with_proxy_filter(filter);

+

+  Assert.ok(!res, "Should not find a DNS entry");

+});

 ["test_proxy_pac.js"]

+["test_proxyDNS_leak.js"]

+skip-if = [

+  "os == 'android'",

+  "socketprocess_networking",

+]

+

 ["test_proxyconnect.js"]

 skip-if = [

   "tsan",

   new_cont.setAttribute("id", "dns_content");

   for (let i = 0; i < data.entries.length; i++) {

+    // TODO: Will be supported in bug 1889387.

+    if (data.entries[i].type != Ci.nsIDNSService.RESOLVE_TYPE_DEFAULT) {

+      continue;

+    }

+

     let row = document.createElement("tr");

     row.appendChild(col(data.entries[i].hostname));

     row.appendChild(col(data.entries[i].family));

...	...	@@ -2392,7 +2392,9 @@ nsresult nsHttpHandler::SpeculativeConnectInternal(
2392	2392	}
2393	2393	}
2394	2394
2395		- return SpeculativeConnect(ci, aCallbacks);
	2395	+ // When ech is enabled, always do speculative connect with HTTPS RR.
	2396	+ return MaybeSpeculativeConnectWithHTTPSRR(ci, aCallbacks, 0,
	2397	+ EchConfigEnabled());
2396	2398	}
2397	2399
2398	2400	NS_IMETHODIMP

Pier Angelo Vendrame pushed to branch mullvad-browser-128.8.0esr-14.0-1 at The Tor Project / Applications / Mullvad Browser

Commits:

15 changed files:

Changes: